Merge

flake.lock

@@ -531,8 +531,8 @@
         "nixpkgs": "nixpkgs_9"
       },
       "locked": {
-        "lastModified": 1737870551,
-        "narHash": "sha256-KOYxo5/vnDOLX1uodNNe0+2kU1tVj0i5nqYx79Q1LbI=",
+        "lastModified": 1739938885,
+        "narHash": "sha256-h19Bg+BTV/51MiCnKa3rN3QbRC74cBWjBHhDrpVgdXM=",
         "path": "/persist/dots/scripts/sydnix-cli",
         "type": "path"
       },

hosts/deertopia/configuration.nix

@@ -87,6 +87,7 @@
     sshfs
     waypipe
     sydnix-cli.packages.x86_64-linux.default
+    (import ../../scripts/port-tools { inherit pkgs; })
   ];
 
   services.openssh = {

modules/nixos/deertopia/authelia.nix

@@ -148,23 +148,5 @@ in {
            locations."/api/authz".proxyPass = "$upstream";
          };
        };
-
-       # TODO: Remove this.  It's only used for a quick demo for myself.  The
-       # domain choice is arbitrary.  It's just one I happen to have set up.
-       sydnix.deertopia.nginx.vhosts."ldap" = {
-         directory = null;
-         vhost = {
-           forceSSL = true;
-           enableACME = true;
-           extraConfig = ''
-            include ${./authelia/authelia-location.conf};
-           '';
-           locations."/".extraConfig = ''
-             include ${./authelia/authelia-authrequest.conf};
-             include ${./authelia/proxy.conf};
-             root /persist/deertopia.net/ldap;
-           '';
-         };
-       };
      });
 }

modules/nixos/deertopia/copyparty.nix

@@ -29,13 +29,23 @@ in {
     services.copyparty = {
       enable = true;
       settings = {
-        # These three options are necessary for SSO integration.  No idea what
-        # they do. }:)
-        xff-src = "lan";
+        # These three options (`idp-h-usr`, `idp-h-grp`, `xff-src`) are
+        # necessary for SSO integration.
+
+        # The HTTP headers (provided by the coproxy) where Copyparty can expect
+        # to find the user's name and groups.
         idp-h-usr = "remote-user";
         idp-h-grp = "remote-groups";
+        # For security reasons, Copyparty will only acknowledge those headers
+        # when the request comes from a known IP address specified here.  In our
+        # case, we tell it to accept requests from any private IP.
+        xff-src = "lan";
       };
       volumes = {
+        "/Soulseek" = {
+          path = "/var/lib/slskd";
+          access.r = "*";
+        };
         "/Jellyfin" = {
           path = "/persist/vault/jellyfin";
           # View and upload, but no deleting.